The problem is a password hash is a fixed length regardless of the password, so if this is implemented correctly there is no need for a maximum 0assword length. These things raise my security flag because it makes me think they are storing the password in plain text instead of doing proper practice and storing the hash only.